Media Access Control Security (or MACsec) can provide secure communications on wired Local Area Networks (LANs). When MACsec is used to secure the communications between endpoints on a LAN, each packet on the wire may be encrypted using a symmetric cryptographic key so that communications cannot be monitored or altered. MACsec can provide data origin authentication, integrity protection, anti-replay protection and optional confidentiality of the data.
In some network security standards, for example IEEE 802.1X-2010, the Connectivity Association Keys (CAKs) used for MACsec in a Link Aggregation Group (LAG) scenario may be derived on a per-port basis. This can lead to a number of CAKs equal to the number of member ports, which can be up to 16 CAKs per LAG.
Maintaining as many CAKs as there are ports in a LAG adds overhead on the control plane, since deriving and maintaining a CAK can be a CPU-intensive process. Maintaining a CAK cache for a large number of CAKs can be a tedious task.
MACsec can be used in conjunction with IEEE 802.1X-2010, which provides EAP authentication and authorization and a key derivation mechanism. A Connectivity Association Key (CAK) is the root key used in MACsec; it is derived using a Key Derivation Function (KDF) from a Master Session Key (MSK) provided by a server together with the MAC addresses of the link. A Security Association Key (SAK) is a symmetric key used for encryption and decryption of the data traffic carried on the link. The SAK is derived by the key server using a KDF with the CAK, a label, the Member Identifier (MI) and the key length as input parameters.
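The two derivation steps just described, CAK from the MSK and link MAC addresses and SAK from the CAK, as an added example that is not part of the original text. It follows the counter-mode KDF layout of IEEE 802.1X-2010 (counter, label, 0x00 separator, context, output length), but uses HMAC-SHA256 from the Python standard library in place of the AES-CMAC the standard specifies, so the outputs are illustrative rather than interoperable; the label strings, the lower-MAC-first ordering, the key-server nonce and key number in the SAK context, and all sample keys and MAC addresses are assumptions constructed for the example.

```python
# Added example: CAK and SAK derivation in the style of IEEE 802.1X-2010.
# HMAC-SHA256 stands in for AES-CMAC (assumption; not interoperable).
import hashlib
import hmac


def kdf(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """Counter-mode KDF: PRF(key, i || label || 0x00 || context || length) blocks."""
    out = b""
    i = 1
    while len(out) * 8 < length_bits:
        block = (i.to_bytes(2, "big") + label + b"\x00" + context
                 + length_bits.to_bytes(2, "big"))
        out += hmac.new(key, block, hashlib.sha256).digest()
        i += 1
    return out[: length_bits // 8]


def derive_cak(msk: bytes, mac_a: bytes, mac_b: bytes, cak_bits: int = 128) -> bytes:
    """CAK = KDF(MSK, label, lower MAC || higher MAC, length).
    Sorting the two addresses makes both ends of the link derive the same CAK."""
    lo, hi = sorted((mac_a, mac_b))
    return kdf(msk, b"IEEE8021 EAP CAK", lo + hi, cak_bits)


def derive_sak(cak: bytes, ks_nonce: bytes, mi_list: list, kn: int,
               sak_bits: int = 128) -> bytes:
    """SAK = KDF(CAK, label, key-server nonce || MI list || key number, length).
    Only the key server runs this; peers receive the SAK wrapped under the CAK."""
    context = ks_nonce + b"".join(mi_list) + kn.to_bytes(4, "big")
    return kdf(cak, b"IEEE8021 SAK", context, sak_bits)


def lag_caks(msk: bytes, local_macs: list, peer_macs: list) -> list:
    """Per-port derivation: one CAK for every member link of the LAG,
    which is the control-plane overhead the passage describes."""
    return [derive_cak(msk, a, b) for a, b in zip(local_macs, peer_macs)]


# Constructed sample values: a 64-byte MSK and 16 member links of a LAG.
MSK = bytes(range(64))
LOCAL_MACS = [bytes([0x00, 0x11, 0x22, 0x33, 0x00, p]) for p in range(16)]
PEER_MACS = [bytes([0x00, 0x11, 0x22, 0x33, 0x80, p]) for p in range(16)]

if __name__ == "__main__":
    caks = lag_caks(MSK, LOCAL_MACS, PEER_MACS)
    print(f"{len(caks)} CAKs for 16 member ports, {len(set(caks))} distinct")
    sak = derive_sak(caks[0], b"\x01" * 16, [b"\xaa" * 12, b"\xbb" * 12], kn=1)
    print("SAK for port 0:", sak.hex())
```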